Can presenting 3CX to the Internet ever be safe?

Discussion in '3CX Phone System - General' started by Fatboy40, Aug 10, 2010.

Thread Status:
Not open for further replies.
  1. Fatboy40

    Fatboy40 New Member

    Joined:
    Aug 2, 2010
    Messages:
    170
    Likes Received:
    0
    I'm currently setting up my first 3CX system, to be used in a small business of around 18 users with one that works from home (and possibly more in the future).

    I've published my internal 3CX server to a public IP address and will be sorting out our SIP trunk shortly. My concern after looking at a few other posts here is how secure will 3CX be now that it's publicly available? I'm not concerned about the security of Windows itself (I'm using Windows Server 2003 and IIS) but of 3CX. What sort of attacks (excluding things such as DOS) can they suffer? If someone becomes aware that a public IP resolves to a SIP server, will they then start to flood it with attempts to discover a working extension and password combination? Is the only way around this to set cryptic passwords that a standard word filter will not have?

    Thanks :)
     
  2. mfm

    mfm Active Member

    Joined:
    Mar 4, 2010
    Messages:
    641
    Likes Received:
    2
    Hi fatboy (always wanted to say that),

    3CX is secure, and no, I'm not saying that because I am 3CX staff. The problem that 3CX presents is the same as any other software, including Windows.

    1. Unsafe passwords, how long is it going to take someone to figure out that the password of extension 100 is 100?

    2. Users removing blacklist attempt facility because they have an incorrect network setup and a phone is bombarding with too many attempts

    Finally for those that care to read there is a document about this. Follow this religiously and your only worry will be your internal users making too many personal calls.

    http://www.3cx.com/blog/voip-howto/securing-hints/
     
  3. xor@redlink.de

    Joined:
    Jan 23, 2009
    Messages:
    18
    Likes Received:
    0
    People usually run tests on open ports that match the services listed for it, e.g. HTTP on port 80. So it's a good idea not to use standard ports. I wouldn't expose 3CX to the internet at all though, there are enough options for secure encrypted connections, e.g. the tunnel client, VPNs (via router or Snom 370s with VPN capable firmware) and so on. Or restrict access to fixed IP addresses / dynamic DNS resolution.
     
  4. Fatboy40

    Fatboy40 New Member

    Joined:
    Aug 2, 2010
    Messages:
    170
    Likes Received:
    0
    For the time being I've gone with restricting traffic on the firewall based on IP address, allowing me to test things at home and connect to the SIP trunk provider.

    Thanks for the advice everyone :)
     
  5. LeonidasG

    LeonidasG Support Team
    Staff Member 3CX Support

    Joined:
    Nov 19, 2008
    Messages:
    1,400
    Likes Received:
    79
    We've also added some new Anti-Hacking features in V9 just for this purpose for users that for some reason cannot restrict traffic on the firewall.

    Any attempts to Brute Force or Flood the PBX cause the IP that sent the flood to be blacklisted for a small amount of time you can set yourself.
    You can find this feature in: Settings > Advanced > Anti-Hacking features.
     
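
The temporary blacklist described in the last post, sketched as an added example (not 3CX's code and not part of the thread): failed authentications are counted per source IP in a sliding window, and an IP that reaches the limit is blocked for a configurable time. The class name, thresholds and events are constructed for illustration; the thread does not give 3CX's own values or log format.

```python
from collections import defaultdict, deque

class AuthBlacklist:
    """Temporary per-IP blacklist driven by failed SIP authentications."""

    def __init__(self, max_failures=5, window=60, ban_time=300):
        self.max_failures = max_failures    # failures tolerated inside the window
        self.window = window                # seconds over which failures are counted
        self.ban_time = ban_time            # seconds an offending IP stays blocked
        self.failures = defaultdict(deque)  # ip -> timestamps of recent failures
        self.banned_until = {}              # ip -> time at which the ban expires

    def is_banned(self, ip, now):
        until = self.banned_until.get(ip)
        if until is not None and now >= until:
            del self.banned_until[ip]       # ban has expired, forget it
            return False
        return until is not None

    def observe(self, ts, ip, ok):
        """Feed one auth result; return 'dropped', 'ok', 'failed' or 'banned'."""
        if self.is_banned(ip, ts):
            return "dropped"                # blocked before credentials are checked
        if ok:
            return "ok"
        recent = self.failures[ip]
        recent.append(ts)
        while ts - recent[0] > self.window:
            recent.popleft()                # discard failures older than the window
        if len(recent) >= self.max_failures:
            self.banned_until[ip] = ts + self.ban_time
            recent.clear()
            return "banned"
        return "failed"

def replay(events, **settings):
    """Run (timestamp, ip, auth_ok) events through a fresh blacklist."""
    guard = AuthBlacklist(**settings)
    return [(ts, ip, guard.observe(ts, ip, ok)) for ts, ip, ok in events]

# Constructed sample: one source guessing once per second, one phone registering
# normally, and the guessing source returning after its ban has run out.
EVENTS = sorted(
    [(t, "203.0.113.50", False) for t in range(7)]
    + [(3, "198.51.100.7", True), (400, "203.0.113.50", False)]
)

if __name__ == "__main__":
    for ts, ip, result in replay(EVENTS):
        print(f"t={ts:>3}s  {ip:<14} {result}")
```

A source that stays under the limit, for example one failure every 20 seconds with these settings, is never blocked, so the blacklist complements the strong-password advice earlier in the thread rather than replacing it.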